IDEXX Laboratories Inc.: 10-K Risk Factor Changes

We rely on our information systems and third-party information systems to provide access to our web-based products and services, keep financial records, analyze results of operations, process orders and shipments, manage inventory, store confidential or proprietary information, and operate other critical functions. In addition, some of our products and services are cloud-based and connect to the “Internet of Things” (“IoT”), including information systems that collect and use data on behalf of customers (e.g., veterinary practice management systems and customer communication tools and services) and our connected IoT devices (e.g., IDEXX VetLab Stations and analyzers) that enable our integrated, comprehensive diagnostic solution for veterinary practices, and these products and services rely on third-party providers for cloud computing and storage. These information systems and networks are susceptible to damage, disruption, or shutdown from multiple factors, including failures during the process of upgrading or replacing software, databases, or components; power outages; telecommunications or system failures; terrorist attacks; natural disasters; individual error or malfeasance; server or cloud provider breaches; computer viruses or cyber security attacks or other breaches or incidents. Although we maintain security policies and measures and internal controls, employ system backup measures, engage in redundancy planning and processes, and invest in our data and information technology infrastructure, such policies, measures, controls, planning processes, and investments, as well as our current disaster recovery plans, have not always been effective, and there can be no assurance that these (or any future efforts) will be effective, in preventing any information system or network damage, disruption, or shutdown. The continued use of remote and hybrid work arrangements may additionally result in some increased risk associated with our employees accessing our data and systems remotely. In addition, the use of AI and other emerging technologies by threat actors is growing, enabling more sophisticated and effective cybersecurity attacks and phishing and social engineering schemes and further increasing attack volume and frequency. Our software and some of our other products and services incorporate or rely on information technology and systems that are highly technical and complex, and the timely development, testing, release and deployment of software updates are important for defending against security vulnerabilities. If we or our business partners and suppliers fail to timely develop, test and deploy software updates, the security of our and our customers’ networks and information systems may be at risk. Vulnerabilities may persist even after a software update is released if the update fails to address the vulnerability’s root cause or is otherwise insufficient, testing of the update delays its timely deployment, there is a failure to install the most recent updates, or customers persist in using solutions that are end of life and no longer receive updates. Furthermore, updates or other software changes can lead to software or system inoperability or inadvertently introduce security vulnerabilities, including vulnerabilities that had been previously remedied or from malicious code injected in a “supply chain” cyberattack. In addition, in some cases, we rely on third-party providers to develop, test and release software updates on a timely basis, and there can be no assurance that these third-party providers will timely or effectively remedy vulnerabilities. We, and some of our third-party vendors, have experienced cybersecurity attacks by threat actors (which may include state-sponsored organizations or nation state actors) and other cybersecurity breaches and incidents in the past, including, among other things, computer viruses and malware, ransomware, denial of service actions, phishing schemes, social engineering, the compromise, misappropriation and/or unauthorized access to (or acquisition or disclosure of) confidential or 25 25 25 otherwise protected information, and similar events, and will likely experience further attacks, breaches and incidents in the future, potentially with more frequency. To our knowledge, none have resulted in any material adverse impact to the Company, our business strategy, results of operations or financial condition. We have adopted measures to mitigate potential risks associated with information technology disruptions and cybersecurity threats; however, given the unpredictability of the timing, nature, and scope of such disruptions and the evolving nature of cybersecurity threats, which vary in technique and sources, if we or our business partners or suppliers were to experience a system disruption, attack or security breach or incident that impacts any of our critical functions, or our customers were to experience a system disruption, attack or security breach or incident via any of our software or connected IoT products and services, we could be subject to production downtimes, operational and/or productivity delays, other detrimental impacts on our operations or ability to provide products and services to our customers, the compromise, misappropriation and/or unauthorized access to (or acquisition or disclosure of) confidential or otherwise protected information, destruction or corruption of data, security breaches, other manipulation or misuse of our systems or networks, financial losses and additional costs from remedial actions, repairs to infrastructure, physical systems or data processing systems, increased cybersecurity and information technology protection costs, loss of business or potential liability, and/or damage to our reputation, any of which could have a material adverse effect on our business strategy, competitive position, results of operations, cash flows, financial condition, or prospects. We, our customers, and other users of our products and services also may not promptly learn of or have the ability to fully assess the magnitude or effects of a security vulnerability in connected IoT devices and networks, including the extent, if any, to which a vulnerability has been exploited. Additionally, we have acquired, and in the future may acquire, companies or assets that have less sophisticated information systems, cybersecurity practices, or training, which may result in an increased risk of cybersecurity attacks, breaches, or incidents. Our customers and/or employees could also face negative consequences such as the compromise of sensitive or critical information or systems. Furthermore, access to, public disclosure of, or other loss of data or information (including any of our confidential or proprietary information or personal data or information) as a result of an attack or security breach or incident has given, and in the future may give, rise to notification obligations to individuals, regulators, customers, employees, and others, and could result in governmental actions or private claims or proceedings, any of which could damage our reputation, cause a loss of confidence in our products and services, damage our ability to develop (and protect our rights to) our differentiated technologies, and have a material adverse effect on the Company, our business strategy, financial condition, results of operations, or prospects. While we maintain a cyber risk insurance policy, it may not cover any or all claims, costs or losses associated with all cybersecurity events. For more information regarding personal data and information privacy and data protection risks, refer to “Our operations and reputation may be impaired if we, our products, or our services do not comply with our global privacy policy or evolving laws, regulations, and industry standards regarding data privacy and protection” below.

We rely on our information systems, as well as third-party information systems, to provide access to our web-based products and services, keep financial records, analyze results of operations, process orders and shipments, manage inventory, store confidential or proprietary information, and operate other critical functions. In addition, some of our products and services include information systems that collect and use data on behalf of customers (e.g., veterinary practice management systems and customer communication tools and services), and some products and services rely on third-party providers for cloud computing and storage. Although we maintain security policies and measures, employ system backup measures, and engage in redundancy planning and processes, such policies, measures, planning and processes, as well as our current disaster recovery plans, may be ineffective or inadequate to address all eventualities. Further, our information systems and our business partners’ and suppliers’ information systems have experienced, and will likely continue to experience, attacks by hackers and other threat actors and other cybersecurity breaches and incidents, including, among other things, computer viruses and malware, ransomware, denial of service actions, phishing schemes, the compromise, misappropriation and/or unauthorized acquisition or disclosure of confidential or otherwise protected information and similar events through the internet (including via devices and applications connected to the internet), and through email attachments and persons with access to these information systems, such as our employees or third parties with whom we do business. The continued use of remote and hybrid work arrangements may additionally result in some increased risk associated with our employees accessing our data and systems remotely. In addition, security industry experts and government officials have warned about the risks of threat actors, such as hackers, nation state actors, and organized groups, targeting U.S. organizations, and recent developments in the cyber threat landscape include the growing use of AI, which could enable or create more sophisticated cybersecurity attacks and increase attack volume and frequency. As information systems and the use of software and related applications by us, our business partners, suppliers, and customers become more cloud-based and connected to the “Internet of Things” (“IoT”), there has been an increase in global cybersecurity vulnerabilities and threats, including more sophisticated and targeted cyber-related attacks that pose a risk to the security of our information systems and networks and the security, confidentiality, availability and integrity of data and information. We process credit card payments electronically over secure networks and offer IoT products and services, such as our connected devices (e.g., IDEXX VetLab instruments). Any such attack or breach could compromise our networks and the information stored thereon could be accessed, publicly disclosed, lost, or stolen. While we have implemented network security and internal control measures, especially for the purpose of protecting our connected products and services from cyberattacks, and invested in our data and information technology infrastructure, these efforts have not always been successful in preventing, and there can be no assurance that these efforts (or any future investments or efforts) will prevent, a system disruption, attack, or security breach. Our software and some of our other products and services incorporate or rely on information technology and systems that are highly technical and complex, and the timely development, testing, release and deployment of software updates are important for defending against security vulnerabilities. If we or our business partners and suppliers fail to timely develop, test and deploy software updates, the security of our and our customers’ networks and information systems may be at risk. Vulnerabilities may persist even after a software update is released if the update fails to address the vulnerability’s root cause or is otherwise insufficient, testing of the update delays its timely deployment, there is a failure to install the most recent updates, or customers persist in using solutions that are end of life and no longer receive updates. Furthermore, updates or other software changes can lead to software or system inoperability or inadvertently introduce security vulnerabilities, including vulnerabilities 25 25 25 that had been previously remedied or from malicious code injected in a “supply chain” cyberattack. In addition, in some cases, we rely on third-party providers to develop, test and release software updates on a timely basis, and there can be no assurance that these third-party providers will timely or effectively remedy vulnerabilities. We, and some of our third-party vendors, have experienced cybersecurity attacks and incidents in the past and will likely experience further attacks and incidents in the future, potentially with more frequency. To our knowledge, none have resulted in any material adverse impact to the Company, our business strategy, results of operations or financial condition. We have adopted measures to mitigate potential risks associated with information technology disruptions and cybersecurity threats; however, given the unpredictability of the timing, nature and scope of such disruptions and the evolving nature of cybersecurity threats, which vary in technique and sources, if we or our business partners or suppliers were to experience a system disruption, attack or security breach or incident that impacts any of our critical functions, or our customers were to experience a system disruption, attack or security breach or incident via any of our software or connected products and services, we could potentially be subject to production downtimes, operational and/or productivity delays, other detrimental impacts on our operations or ability to provide products and services to our customers, the compromise, misappropriation and/or unauthorized acquisition or disclosure of confidential or otherwise protected information, destruction or corruption of data, security breaches, other manipulation or misuse of our systems or networks, financial losses and additional costs from remedial actions, repairs to infrastructure, physical systems or data processing systems, increased cybersecurity and information technology protection costs, loss of business or potential liability, and/or damage to our reputation, any of which could have a material adverse effect on our business strategy, competitive position, results of operations, cash flows, financial condition, or prospects. Additionally, the post-acquisition integration process of acquired companies that may have less sophisticated information systems, cybersecurity practices, or training, may result in an increased risk of cybersecurity incidents. Our customers and/or employees could also face negative consequences such as the compromise of sensitive or critical information or systems. Furthermore, access to, public disclosure of, or other loss of data or information (including any of our confidential or proprietary information or personal data or information) as a result of an attack or security breach or incident has given, and in the future may give, rise to notification obligations to individuals, regulators, customers, employees, and others, and could result in governmental actions or private claims or proceedings, any of which could damage our reputation, cause a loss of confidence in our products and services, damage our ability to develop (and protect our rights to) our differentiated technologies and have a material adverse effect on the Company, our business strategy, financial condition, results of operations or prospects. While we maintain a cyber risk insurance policy intended to address risk of loss due to certain types of cybersecurity events, it may not cover any or all claims, costs or losses associated with such events. For more information regarding personal data and information privacy and data protection risks, refer to “Our operations and reputation may be impaired if we, our products, or our services do not comply with our global privacy policy or evolving laws and regulations regarding data privacy and protection” below.

The companion animal healthcare industry is highly competitive, and we anticipate increasing competition from both existing competitors and new sector entrants given our performance and the industry’s strong growth and returns. Maintaining or enhancing our growth rates and profitability depends on successful execution of many elements of our strategy, including: •Developing, manufacturing, and marketing innovative new or improved and cost competitive point-of-care laboratory analyzers that drive sales of IDEXX VetLab instruments, grow our installed base of instruments, and increase demand for related recurring sales of consumable products, services, and accessories; •Developing and introducing new or improved innovative diagnostic tests and services for both our reference laboratories and point-of-care applications that provide valuable medical information to our customers and effectively differentiate our products and services from those of our competitors; •Developing and introducing new or improved innovative, data-insightful software solutions that enable our veterinary customers to improve practice management and efficiency, staff productivity, and client engagement and communications and that increase the value to our customers of our other companion animal products and services by enhancing the integration of the information and transactions of these products and services and supporting the interpretation and management of diagnostic information derived from these products and services; •Maintaining premium pricing, including by effectively implementing price increases, for our products and services through, among other things, effective communication and promotion of their value in an environment where many of our competitors promote, market, and sell lesser offerings at lower prices; •Providing our veterinary customers with the medical and business tools, information, and resources that enable them to grow their practices and increase utilization of our diagnostic products and services through increased pet visits and preventive care protocol use, enhanced practice of real-time care, and improved practice efficiency; •Achieving cost improvements in our worldwide reference laboratory network by implementing global best practices, including lean processing techniques, technological enhancements (e.g., automation and a global laboratory information management system), purchasing strategies that maximize leverage from our global scale, increasing the leverage of existing infrastructure, and consolidating testing in high volume laboratory hubs; •Achieving cost improvements in the manufacture and service of our point-of-care laboratory analyzers by employing the benefits of economies of scale in both negotiating supply contracts and leveraging manufacturing overhead, and by improving reliability of our instruments; •Continuing to expand, develop, and advance the effectiveness and productivity of our companion animal diagnostic sales, marketing, customer support, and logistics organizations in the U.S. and international regions in support of, among other things, our all-direct sales strategies and best-in-class customer experience goals; •Attracting, developing, and retaining key leadership and talent necessary to support all elements of our strategy; •Strengthening our sales and marketing activities to reach customers and expand diagnostic and software use both in and outside the U.S.; •Identifying, completing, and integrating acquisitions that enhance our existing businesses, create new businesses for us, or expand the geographic areas in which we do business; 18 18 18 •Continuing to responsibly incorporate AI, machine learning, and automation into our products and services and associated business processes, such as customer support and software development; •Developing and implementing new technology and licensing strategies; and •Continuing to effectively manage our growth and expansion on a global scale through, among other things, designing and implementing cost-effective improvements to our processes, procedures, and infrastructure. If we are unsuccessful in implementing and executing on some or all of these strategies, our rate of growth or profitability may be negatively impacted.

The companion animal healthcare industry is highly competitive, and we anticipate increasing levels of competition from both existing competitors and new sector entrants given our performance and the industry’s strong growth and returns. Our ability to maintain or enhance our growth rates and our profitability depends on our successful execution of many elements of our strategy, including: •Developing, manufacturing, and marketing innovative new or improved and cost competitive in-clinic laboratory analyzers that drive sales of IDEXX VetLab instruments, grow our installed base of instruments, and increase demand for related recurring sales of consumable products, services, and accessories; •Developing and introducing new or improved innovative diagnostic tests and services for both our reference laboratories and in-clinic applications that provide valuable medical information to our customers and effectively differentiate our products and services from those of our competitors; •Developing and introducing new or improved innovative, data-insightful software solutions that enable our veterinary customers to improve practice management and efficiency, staff productivity, and client communications and that increase the value to our veterinary customers of our other companion animal products and services by enhancing the integration of the information and transactions of these products and services and supporting the interpretation and management of diagnostic information derived from these products and services; •Maintaining premium pricing, including by effectively implementing price increases, for our products and services through, among other things, effective communication and promotion of their value in an environment where many of our competitors promote, market, and sell lesser offerings at lower prices; •Providing our veterinary customers with the medical and business tools, information, and resources that enable them to grow their practices and increase utilization of our diagnostic products and services, through increased pet visits, use of preventive care protocols, enhanced practice of real-time care, and improved practice efficiency; •Achieving cost improvements in our worldwide network of reference laboratories by implementing global best practices, including lean processing techniques, incorporating technological enhancements, including laboratory automation and a global laboratory information management system, employing purchasing strategies to maximize leverage of our global scale, increasing the leverage of existing infrastructure and consolidating testing in high volume laboratory hubs; •Achieving cost improvements in the manufacture and service of our in-clinic laboratory analyzers by employing the benefits of economies of scale in both negotiating supply contracts and leveraging manufacturing overhead, and by improving reliability of our instruments; •Continuing to expand, develop, and advance the productivity of our companion animal diagnostic sales, marketing, customer support, and logistics organizations in the U.S. and international regions in support of, among other things, our all-direct sales strategies; •Attracting, developing, and retaining key leadership and talent necessary to support all elements of our strategy; •Strengthening our sales and marketing activities to continue to grow our profitability both in and outside the U.S.; •Identifying, completing, and integrating acquisitions that enhance our existing businesses, create new businesses for us or expand the geographic areas in which we do business; •Continuing to incorporate AI, machine learning, and automation into our products and services and associated business processes, such as customer support and software development; 18 18 18 •Developing and implementing new technology and licensing strategies; and •Continuing to effectively manage our growth and expansion on a global scale through, among other things, designing and implementing cost-effective improvements to our processes, procedures, and infrastructure. If we are unsuccessful in implementing and executing on some or all of these strategies, our rate of growth or profitability may be negatively impacted.

Our business operations involve the receipt, storage, transmission, and use of information, including personal data, about our customers, pet owners, suppliers, and employees. We collect and use personal data in a variety of ways. We offer products and services that collect and use personal data, including veterinary practice management systems, online customer communication tools and services, VetConnect PLUS, and two-way integration technology. Some of these products and services rely on third-party providers for cloud computing and storage. We also engage in e-commerce through various websites and collect contact and other personal data from our customers and website visitors, and some of our software products and services enable access to point-of-sale credit card processing functionality for our veterinary customers. In addition, we transfer information, including personal data, among IDEXX, our subsidiaries and third parties with which we have commercial relations for business purposes. Our collection, transfer, protection, security, retention, storage, disclosure, sharing and use of personal data are subject to expanding and increasingly complex laws and regulations in the U.S. and abroad. In addition, these laws and regulations continue to develop and are subject to frequent revisions (and generally have become more stringent over time), are subject to differing interpretations, may be applied inconsistently from jurisdiction to jurisdiction and could be deemed to be inconsistent with our current global privacy policy and data protection practices. Further, some of our customer contracts require us to comply with industry standards adopted by industry groups related to the storage, processing, and transmission of individual cardholder data. 28 28 28 While we maintain a program to monitor, assess, and comply with applicable global data privacy laws and relevant industry standards, compliance with these evolving requirements is costly, may require us to change our business practices in a manner adverse to our business, and may delay or impede the development and offering of innovative products and services. Additionally, public perception and standards related to the privacy of personal data can shift rapidly, in ways that may affect our reputation or influence regulators and industry groups in the U.S. and abroad to expand or adopt more stringent regulations, laws, and standards. As a global company, we are tasked with navigating a patchwork of privacy laws, both in the U.S. and abroad, which may have conflicting requirements that can make compliance challenging. Some examples include (but are not limited to) the California Consumer Privacy Act, as amended by the California Privacy Rights Act; various U.S. state consumer privacy laws that apply to our business operations within a respective state and/or a U.S. federal privacy law that may be passed in the future; the European Union’s General Data Protection Regulation (“GDPR”), Switzerland’s Federal Act on Data Protection, and the United Kingdom’s General Data Protection Regulation (“UK GDPR”), which impose stringent operational requirements for controllers and processors of personal data of individuals in the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK”); the Brazilian General Data Protection Law; the Chinese Personal Information Protection Law; the Japanese Act on the Protection of Personal Information; and the Australian Privacy Act. An additional area of complexity concerns the restrictions on transfers of personal data from certain countries to others. We currently rely on a mixture of mechanisms to transfer certain personal data from the EEA, Switzerland, and the UK to the U.S. and other third countries including the EU-U.S. Data Privacy Framework (the “EU-U.S. DPF”), the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. DPF. A challenge to the EU-U.S. DPF adequacy decision, adopted in July of 2023, will be reviewed by the European Court of Justice, and international transfers to the U.S. and other jurisdictions generally continue to be subject to enhanced scrutiny by regulators. Any transfers by us or our vendors of personal data are subject to potential regulatory scrutiny and may increase our exposure under the GDPR, UK GDPR, and similar laws which contain cross-border personal data transfer heightened requirements and restrictions (such as the Chinese government standard contract for cross-border personal data transfers). Any failure or perceived failure by us, the third parties with whom we work, or our products and services to comply with all applicable privacy-related laws, regulations, and standards, as well as our contractual obligations, could result in damage to our reputation, legal proceedings or actions against us by governmental entities or others, fines and other penalties, damage to our ability to enable access to credit card processing functionality for our veterinary customers, and revenue losses, any of which could have an adverse effect on our business. In addition, concerns about our practices with regard to the collection, use, retention, transmission, disclosure, or security of personal data or other privacy-related matters, even if unfounded and even if we are in compliance with applicable laws, regulations, standards, and contractual obligations, could damage our reputation and harm our business.

Our business operations involves the receipt, storage and use of information, including personal data, about our customers, pet owners, suppliers, and employees. We collect and use personal data in a variety of ways. We offer products and services that collect and use personal data, including veterinary practice management systems, online customer communication tools and services, VetConnect PLUS, and two-way integration technology. Some of these products and services rely on third-party providers for cloud computing and storage. We also engage in e-commerce through various websites and collect contact and other personal data from our customers and website visitors. In addition, we transfer information, including personal data, among IDEXX, our subsidiaries and third parties with which we have commercial relations for business purposes. Our collection, transfer, protection, security, retention, storage, disclosure, sharing and use of personal data are subject to expanding and increasingly complex laws and regulations in the U.S. and abroad. In addition, these laws and regulations continue to develop and are subject to frequent revisions (and generally have become more stringent over time), are subject to differing interpretations, may be applied inconsistently from jurisdiction to jurisdiction and could be deemed to be inconsistent with our current global privacy policy and data protection practices. While we maintain a program to monitor, assess, and comply with applicable global data privacy laws, compliance with these evolving requirements can be costly, require us to change our business practices in a manner adverse to our business or delay or impede the development and offering of innovative products and services. Additionally, public perception and standards related to the privacy of personal data can shift rapidly, in ways that may affect our reputation or influence regulators in the U.S. and abroad to expand or adopt more stringent regulations and laws. As a global company, we are tasked with navigating a patchwork of privacy laws, both in the U.S. and abroad, which may have conflicting requirements that can make compliance challenging. Some examples of privacy laws include (but are not limited to) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CPRA”), various U.S. state consumer privacy laws that apply to our business operations within a respective state and/or a U.S. federal privacy law that may be passed in the future; and the European Union’s General Data Protection Regulation (“GDPR”) and similar requirements adopted by the United Kingdom (“UK”) following the UK’s withdrawal from the European Union (“EU”) and the European Economic Area (“EEA”), which impose stringent operational requirements for controllers and processors of personal data of individuals in the EEA and UK. Additional examples include the China Personal Information Protection Law, the Brazilian General Data Protection Law, the South African Protection of Personal Information Act, the Amendments to the Japanese Act on the Protection of Personal Information, the New Zealand Privacy Act, the Australian Privacy and Other Legislation Amendment Bill and the India Digital Personal Data Protection Act. An additional area of complexity concerns the restrictions on transfers of personal data from certain countries to others. We currently rely on a mixture of mechanisms to transfer certain personal data from the EEA, Switzerland, and the UK to the U.S. and other third countries including the EU-U.S. Data Privacy Framework (the “EU-U.S. DPF”), the Swiss-U.S. Data Privacy Framework (the “Swiss-U.S. DPF”), and the UK Extension to the EU-U.S. DPF. We expect the EU-U.S. DPF adequacy decision, adopted in July of 2023, to be challenged and international transfers to the U.S. and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. Any transfers by us or our vendors of personal data are subject to potential regulatory scrutiny and may increase our exposure under the GDPR, UK GDPR, and similar laws which contain cross-border personal data transfer heightened requirements and restrictions (such as the new Chinese government standard contract for cross-border personal data transfers). Any failure or perceived failure by us, the third parties with whom we work or our products and services to comply with all applicable privacy-related laws and regulations, as well as our contractual obligations, could result in damage to our reputation or legal proceedings or actions against us by governmental entities or others, any of which could have an adverse 29 29 29 effect on our business. In addition, concerns about our practices with regard to the collection, use, retention, disclosure, or security of personal data or other privacy-related matters, even if unfounded and even if we are in compliance with applicable laws and regulations, could damage our reputation and harm our business.

Our continued success is substantially dependent on our ability to attract, develop, and retain highly capable and skilled leaders, employees, and other key personnel. Competition for experienced leaders and employees, particularly for persons with specialized skills, such as software and AI, can be intense. Our ability to recruit and retain such talent will depend on a number of factors, including compensation and benefits, work location, flexibility regarding virtual and hybrid work arrangements, work environment, corporate culture, and development opportunities. The loss of the services of, or our failure to recruit or develop and implement effective succession plans for, our senior leadership, other key personnel, and employees may significantly delay or prevent the achievement of our strategic objectives, disrupt our operations, and adversely affect our business and our future success. In addition, even if we effectively develop and implement succession plans and make key leadership transitions, such as our planned CEO transition in May 2026 that we announced on January 13, 2026, we cannot provide assurances as to whether we may experience management or other challenges in connection with any of those leadership transitions that could adversely affect our future success and could otherwise materially adversely affect our business, reputation, results of operations, and financial condition.

Our continued success is substantially dependent on our ability to attract, develop, and retain highly capable and skilled employees and leaders. As we continue to grow our business, expand our geographic scope, and develop and offer innovative, new products and services, we require an engaged, qualified workforce and the organizational talent necessary to ensure effective succession for our senior leadership and other key personnel. Competition for experienced leaders and 24 24 24 employees, particularly for persons with specialized skills, can be intense. Our ability to recruit and retain such talent will depend on a number of factors, including compensation and benefits, work location, flexibility regarding virtual and hybrid work arrangements, work environment, corporate culture, and development opportunities. Furthermore, a more competitive labor market has made it more difficult and costly to attract qualified labor, and prolonged shortages could adversely affect our ability to achieve our business objectives. The loss of the services of, or our failure to recruit or develop and implement effective succession plans for, our senior leadership, other key personnel, and employees may significantly delay or prevent the achievement of our strategic objectives, disrupt our operations, and adversely affect our business and our future success. In addition, even if we effectively develop and implement succession plans and make key leadership transitions, we cannot provide assurances as to whether we may experience management or other challenges in connection with any of those leadership transitions that could adversely affect our future success and could otherwise materially adversely affect our business, reputation, results of operations, and financial condition.

We have built, and expect to continue to build, AI into many of our product and service offerings, and we expect this element of our business to grow. We also use and are investing in AI tools for our internal business operations, including to generate code, develop products and services, and increase operational efficiency. We envision a future in which responsible AI operating in our devices, applications, and the cloud helps our customers be more productive in their business activities and interactions with consumers, and we effectively use AI in our operations to improve innovation, efficiency, and customer experience and value. As with many disruptive innovations, AI presents risks and challenges. AI algorithms and models may be flawed. Datasets may be insufficient or contain information that is non-representative, infringing, or otherwise subject to legal challenge. Our competitors may incorporate AI into their products, services, and operations more quickly, more successfully and more cost-effectively than us, which could impede our ability to compete. Existing and potential government regulation related to AI use may also foreclose certain areas of AI use, cause us to modify how we use AI, and increase the burden and cost of research and development and compliance in this area, and there is uncertainty around the validity and enforceability of intellectual property rights related to the use, development, and deployment of AI. Our use of AI may also lead to novel cybersecurity or privacy risks, which may adversely affect our operations and reputation. Failure to properly remediate AI usage issues may cause public confidence in AI to be undermined, which could slow adoption of AI in our offerings. The rapid evolution of AI combined with the evolving and unharmonized legal and regulatory landscape will require the application of resources to develop, test, and maintain our products and services to help ensure that AI is implemented in a manner to minimize unintended, harmful impact and to comply with applicable law. Although we continue to invest in AI, those investments may be substantial, and there can be no assurance that our investments will be beneficial to our business. Further, while we strive to develop and use AI responsibly and in compliance with law, including through implementing strong governance processes, there can be no assurance that we will address all AI-related issues that may arise. The failure to address such issues could damage our reputation, give rise to legal and/or regulatory action, or otherwise adversely affect our business.

We have built, and expect to continue to build, AI into many of our product and service offerings, and we expect this element of our business to grow. We envision a future in which responsible AI operating in our devices, applications, and the cloud, helps our customers be more productive in their business activities and interactions with consumers. As with many disruptive innovations, AI presents risks and challenges that could affect its adoption, and therefore our business. AI algorithms and models may be flawed. Datasets may be insufficient or contain information that is non-representative, infringing, or otherwise subject to legal challenge. Existing and potential government regulation related to AI use may also foreclose certain areas of AI use, cause us to modify how we use AI, and increase the burden and cost of research and development in this area, and failure to properly remediate AI usage issues may cause public confidence in AI to be undermined, which could slow adoption of AI in our offerings. The rapid evolution of AI will require the application of resources to develop, test, and maintain our products and services to help ensure that AI is implemented in a manner to minimize unintended, harmful impact and to comply with applicable law. Furthermore, over the last two years, there have been multiple class action lawsuits filed against large language model developers in the Northern District of California, the Southern District of New York, and the Middle District of Tennessee concerning alleged copyright and other intellectual property violations with respect to the information used to train AI models. The outcomes of these litigations may impair our ability to provide our AI technologies.